Information Asset Valuation Procedure

(Internal)

REFERENCE: SR 11.0
REVISION: 1.0
LAST UPDATED ON: 10.08.14

ISSUED BY
Name: Muhammad Al Amassi
Title: Quality Management Representative / QMR
Date: 10.08.14

REVIEWED BY
Name: Dr. Alexe Petcov
Title: Director Professional Services
Date: 10.08.14

APPROVED BY
Name: Dirk Doerrschuck
Title: CEO / President
Date: 10.08.14

Signature:


DOCUMENT INFORMATION

Document Title: Information Asset Valuation Procedure
Document Status: Approved
Document Version: 1.0
Document Classification: Internal
Document Owner: Director BU-ICT
Printing Allowed: Yes
Distribution Restriction(s):
Copyright / IPR Note: Property of DETASAD (Detacon Al Saudia)
Annexures / References:

Revision History

Date of Update: 10.08.14
Updated by: Mohammad Al Amassi
Major Changes: Document Baselined
Updated Version: 1.0

DETASAD Controlled Document


1. PURPOSE & SCOPE

1.1 This document sets out the procedural steps and guidance required to perform Information Asset Valuation.

1.2 This document applies to the departments and processes involved in processing and handling classified information and information assets, i.e. BU-ICT, Financial Affair, and Human Resource and Administration Department.

2. PROCESS ROLES

ROLE: Director BU-ICT
RESPONSIBLE FOR: Ensuring his support for Risk Assessment Team through availability of key human resources, and information on key information assets.

ROLE: Risk Assessment Team
RESPONSIBLE FOR: Designated personnel appointed to perform Asset Valuation for DETASAD after collecting insights, suggestions and inputs from departments in the scope of ISMS.

3. DEFINITIONS AND ABBREVIATIONS

ISMS: Information Security Management System based on ISO 27001 international standard.

Information Asset: An asset which affects information through processing, storage, transfer, disposal, duplication and/or modification.

Process: Steps and activities performed to achieve departmental and company objectives and targets, including activities related to ISMS.

Risk Assessment Team: <Designations>

Asset Valuation Criteria: Criteria defined to calculate the importance of an information asset in light of Confidentiality, Integrity and Availability.
Note: See Annexure A for Criteria definitions.

4. DOCUMENTS AND RELATED TEMPLATES

Columns: SN, Document Title, Document Owner, Document Location, Document Retention

1. Asset and Risk Management Tool (Asset & Risk Management Tool-Final.xlsx)


5. PROCESS FLOW

[Process flow diagram. Boxes, in order: Start; Inventory of Information Asset (Worksheet 1, Asset and Risk Management Tool): Identify the Asset and its Category, Enter Asset ID and Appropriate Classification, Identify Asset Owner; Performing Asset Valuation (Worksheet 2, Asset and Risk Management Tool): Give Appropriate CIA Criteria, Value of Asset; Asset Value is Higher Than Normal: Information Asset Risk Management (Risk Management Procedure); Asset Value is Normal: End of Process.]


6. PROCESS STEPS

Input(s)
- Scope of ISMS
- Identified Processes
- Index of Classified Information

Entry Criterion
- New Identified Information Assets
- Information Asset to be Valuated

Responsible Role (all steps): Risk Assessment Team

Inventory of Information Assets

1. Identify the information asset to be assessed for risks, and enter it in Worksheet 1 of Asset and Risk Management Tool.
   Note:
   a. Information assets can be identified as One Group, but the inventory of information assets must identify them as the said group.
   b. Worksheet 1 is an inventory of Information Assets with their relation and criticality with Classified Information Defined.
   c. The Information Asset column requires brand name and model of the information asset under question.

2. Enter the information asset type.
   Note: Type refers to whether the asset is a computer, network switch, laptop, server, etc.

3. Select the Classification Level of the highest level of classified information being processed.
   Note:
   a. The criticality of an information asset is determined on the basis of the highest level of classified information being processed in it.
   b. Refer to Information Classification and Labelling Procedure for classification of information.

4. Provide the asset's Asset ID in the appropriate column.
   Note: In case of a Group Asset, Group ID can be designated and used.

5. Identify the owner of the information asset and enter in Owner column.

6. Identify the custodian of the information asset (if different from Owner) and enter in Custodian column.

7. [Optional]: For any special notes, please use the notes column, for example description of the asset's security relevance, its criticality, etc.

Performing Asset Valuation

8. Switch to Worksheet 2 for performance of Asset Valuation.

9. To perform Asset Valuation of an asset, select Asset Title from Worksheet 1 and enter in Worksheet 2's appropriate column.

10. Provide Asset Category of the asset selected.
    Note: Asset category refers to how an information asset is affecting information, i.e. storing, duplication, processing, disposal, transfer and/or modification. In case an information asset can perform all these functions, you can simply write ALL.

11. Give the Asset ID as given in Worksheet 1.

12. Consult Annexure A of this procedure, select appropriate Confidentiality Criteria.

13. Consult Annexure A of this procedure, select appropriate Availability Criteria.

14. Consult Annexure A of this procedure, select appropriate Availability Criteria.

15. Add all 3 values selected to evaluate Value of asset (using Asset Valuation Formula).
    Note: Value of Asset falling into Normal range will automatically fall into Risk Acceptance criteria and shall not be assessed for risks, and will not be considered part of Risk Treatment plan directly.

16. [Optional]: Add additional notes in the final column if required.

Output(s)
- Information Asset Valuation
- Identification of Information Asset Class

Exit Criterion
- Complete Valuation of identified Information Assets

7. KEY PERFORMANCE INDICATORS (KPI)

OBJECTIVE: NA
KPI: NA
TARGET: NA
RESP.: NA
FREQUENCY OF MEASUREMENT: NA


8. Procedure Checklist

Columns: No., Activity, Verified?

1. Identify the information asset to be assessed for risks, and enter it in Worksheet 1 of Asset and Risk Management Tool.
2. Enter the information asset type.
3. Enter the Classification Level of the highest level of classified information being processed.
4. Provide the asset's Asset ID in the appropriate column.
5. Identify the owner of the information asset and enter in Owner column.
6. Identify the custodian of the information asset (if different from Owner) and enter in Custodian column.
7. [Optional]: For any special notes, please use the notes column, for example description of the asset's security relevance, its criticality, etc.
8. Switch to Worksheet 2 for performance of Asset Valuation.
9. To perform Asset Valuation of an asset, select Asset Title from Worksheet 1 and enter in Worksheet 2's appropriate column.
10. Provide Asset Category of the asset selected.
11. Give the Asset Type as given in Worksheet 1.
12. Give the Asset ID as given in Worksheet 1.
13. Consult Annexure A of this procedure, select appropriate Confidentiality Criteria.
14. Consult Annexure A of this procedure, select appropriate Availability Criteria.
15. Consult Annexure A of this procedure, select appropriate Availability Criteria.
16. Add all 3 values selected to evaluate Value of asset (using Asset Valuation Formula).
17. [Optional]: Add additional notes in the final column if required.

Process Owner Sign Off:

Date:


Annexure A: Asset Valuation Criteria

Confidentiality Criteria
1 - Unauthorized access of information asset will not compromise business interests and ISMS, or its effects can be ignored
2 - Unauthorized access of information asset will compromise ISMS and may have effects on internal processes and information assets of organization
3 - Unauthorized access of information asset will compromise ISMS as well as processes and agreements with customers and/or stakeholders

Integrity Criteria
1 - Corrupted, inaccurate or incomplete information, process or information asset will not compromise business interests and ISMS, or its effects can be ignored
2 - Corrupted, inaccurate or incomplete information, process, information asset will compromise ISMS and may have effects on internal processes and assets of organization
3 - Corrupted, inaccurate or incomplete information, process, information asset will compromise ISMS as well as processes and agreements with customers and/or stakeholders

Availability Criteria
1 - Unavailability of information asset will not compromise business interests and ISMS, or its effects can be ignored
2 - Unavailability of information asset will compromise ISMS and may have effects on internal processes and assets of organization
3 - Unavailability of information asset will compromise ISMS as well as processes and agreements with customers and/or stakeholders

Asset Valuation Score
Score or Value of an asset in an organization in light of ISMS, i.e. Confidentiality, Integrity and Availability.

Asset Valuation Formula
(Confidentiality Criteria) + (Integrity Criteria) + (Availability Criteria)

Asset Value Classes
(3) Normal
(4 - 7) High
(8 - 9) Critical
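
The following is an added example, not part of the procedure or of the Asset and Risk Management Tool. It applies the Annexure A formula and value classes to Worksheet 2 rows, checks each Asset ID against Worksheet 1, and separates Normal assets (Risk Acceptance) from those passed on for risk assessment. Field names and sample rows are constructed for illustration.

```python
# Added example: field names and sample rows are constructed for illustration.
CRITERIA = ("confidentiality", "integrity", "availability")

def value_class(value):
    """Asset Value Classes from Annexure A: 3 Normal, 4-7 High, 8-9 Critical."""
    if value == 3:
        return "Normal"
    return "High" if value <= 7 else "Critical"

def asset_value(row):
    """Asset Valuation Formula: sum of the three criteria, each scored 1 to 3."""
    for name in CRITERIA:
        score = row.get(name)
        if type(score) is not int or not 1 <= score <= 3:
            raise ValueError(f"{name} must be 1, 2 or 3, got {score!r}")
    return sum(row[name] for name in CRITERIA)

def valuate(worksheet1, worksheet2):
    """Value every Worksheet 2 row and sort the results for follow-up."""
    inventory = {a["asset_id"] for a in worksheet1}
    result = {"values": {}, "risk_assessment": [], "accepted": [], "errors": []}
    for row in worksheet2:
        asset_id = row["asset_id"]
        if asset_id not in inventory:  # the Asset ID must match Worksheet 1
            result["errors"].append(f"{asset_id}: not in Worksheet 1")
            continue
        try:
            value = asset_value(row)
        except ValueError as exc:
            result["errors"].append(f"{asset_id}: {exc}")
            continue
        cls = value_class(value)
        result["values"][asset_id] = (value, cls)
        # Normal falls under Risk Acceptance; anything higher is assessed for risks.
        result["accepted" if cls == "Normal" else "risk_assessment"].append(asset_id)
    # Exit criterion: every inventoried asset has a complete valuation.
    result["unvalued"] = sorted(inventory - set(result["values"]))
    return result

WORKSHEET_1 = [{"asset_id": i} for i in ("SRV-001", "LAP-014", "SW-003", "PRN-009", "NAS-002")]
WORKSHEET_2 = [
    {"asset_id": "SRV-001", "confidentiality": 3, "integrity": 3, "availability": 2},
    {"asset_id": "LAP-014", "confidentiality": 1, "integrity": 1, "availability": 1},
    {"asset_id": "SW-003", "confidentiality": 2, "integrity": 1, "availability": 2},
    {"asset_id": "PRN-009", "confidentiality": 1, "integrity": 4, "availability": 1},
    {"asset_id": "XX-999", "confidentiality": 2, "integrity": 2, "availability": 2},
]

if __name__ == "__main__":
    for key, val in valuate(WORKSHEET_1, WORKSHEET_2).items():
        print(key, val)
```

An asset listed under `unvalued` is in the inventory but has no valid Worksheet 2 row, so the exit criterion of a complete valuation is not yet met for it.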
